The Sarbanes-Oxley Act, passed in the wake of Enron and other accounting scandals, seeks to reduce the likelihood of fraud by attempting to make public company CEOs and CFOs directly accountable for their businesses' internal controls and financial disclosures. In addition, these senior managers will be the object of greater scrutiny from independent boards, audit committees and external auditors.
Most provisions of the Act apply to US public companies and to non-US public companies listed in the US. UK companies that are either subsidiaries of US listed companies, or are listed in the US in their own right, are directly caught by the provisions of the Act. However, they have a longer lead time in which to comply than their US counterparts, with the law coming into effect for non-US companies for year ends after 15 April 2005, ten months after the date for US companies.
Since the recent spate of accounting scandals involving European companies, including Ahold, Parmalat and Adecco, there have been calls for European legislation along similar lines to Sarbanes-Oxley. In the UK the Financial Reporting Council issued the Combined Code on 23 July 2003, with listed companies required to be compliant for financial years ending on or after 1 November 2003. The Code, despite heated discussion and debate, contains virtually all of the key recommendations of the Higgs report on corporate governance. Also, on 3 December, the UK government introduced the Companies (Audit, Investigations and Community Enterprise) Bill to the House of Lords. This is aimed at improving the reliability of financial reporting and the independence of auditors. It will also strengthen the powers of company investigators.
Some of the key provisions of Sarbanes-Oxley include:
- CEOs and CFOs of public companies must make personal certifications in each annual or quarterly report filed with or submitted to the SEC. In addition, internal control reports must be filed with companies' annual reports
- All listed companies are required to have an audit committee, entirely comprised of independent, outside directors
- External auditors may not provide many non-audit services contemporaneously with the audit.
Directors' certifications
Sarbanes-Oxley requires the CEO or CFO to certify the following:
- The signing officer has 'reviewed' the report
- Based on the officer's knowledge, the report does not contain an untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which they were made, not misleading
- The signing officers are responsible for establishing and maintaining internal controls, and have designed them to ensure discovery of material information
- The signing officers have disclosed to the company's auditors and audit committee all significant deficiencies in the internal control system and any fraud (whether or not material) by management or other employees with a significant role in the internal controls
- Whether or not there were changes in the internal controls or other factors that could significantly affect the controls since the date of their evaluation.
The first two points listed are similar to those proposed in the Companies (Audit, Investigations and Community Enterprise) Bill, whereby the directors' report will have to contain a statement to the effect that, at the time the report is approved, there is no information which has not been disclosed to the company's auditors which:
(A) a director of the company is aware of, or it would be reasonable for a director of the company to obtain by making enquiries
(B) the director knows or ought to know would be relevant for the purposes of the auditors' determination whether the annual accounts have been properly prepared in accordance with the requirements of the Companies Act 1985
(C) the director knows or ought to know that the auditors are not aware of.
In a case where a director makes such a statement, knowing it to be false, or is reckless as to whether it is false, he or she could be found guilty of a criminal offence, unless it can be shown that all reasonable steps to prevent the report from being approved were taken. On indictment, the penalties are imprisonment for up to two years and/or an unlimited fine and, on summary conviction, up to 12 months' imprisonment and/or a fine up to £5,000. Under Sarbanes-Oxley, punishments are far harsher. Violations are punishable by a fine of up to US$1m, imprisonment of up to 10 years, or both. In the case of wilful violations, the maximum fine is US$5m and maximum prison term 20 years.
The additional requirements on internal controls reporting under Sarbanes-Oxley will also require that a company's management identify and assess the risk of fraudulent financial reporting within its own operations and the adequacy of its internal controls. This has resulted in many US companies performing forensic audits of their systems across all their subsidiaries around the world. During such audits the company, typically with the assistance of expert consultants, looks for weaknesses and opportunities for fraud.
A key finding in many fraud investigations is that often the CEO and CFO, either alone or in collusion, were associated with the preparation of the fraudulent financial reporting. This highlights the importance of senior officers' responsibilities being strictly segregated. These controls should also be enforced: another finding common in fraud investigations is that executives have the power to override controls. The expanding role of the audit committee is intended to help address this issue. Its role must include a review of the effectiveness of internal controls and the internal audit function and monitoring of CEO and CFO activity.
Audit committee
Sarbanes-Oxley requires that every public company have an audit committee, which is comprised of members of the board of directors, but is independent in the sense that the directors perform no other corporate duties and receive no other compensation than their directors' fees. At least one member of the audit committee must be a 'financial expert'. The audit committee will be responsible for hiring and compensating both the auditors and any other consultants and is thus the logical body to oversee the entire compliance process from review through to implementation. These provisions are similar to the Combined Code, which states that the board should establish an audit committee of at least three, or in the case of smaller companies, two, members, who should all be independent non-executive directors, at least one of whom has recent and relevant financial experience.
The audit committee members cannot be directors with a high level of equity interest, or some other personal or business connection with the company. Close family relationships among directors, or the concentration of power in too few hands, will also be questioned by the external auditors.
The Act is trying to make the charismatic CEO with a compliant board of inexperienced family members and cronies a thing of the past.
The audit committee must also have the authority and resources to carry out its duties. It should meet at least once a quarter, and the manner of reporting to the full board, plans for conducting the audit, role of legal counsel, selection of external audit engagement, expense and compensation policy of the committee, should all be set out in a written charter.
Since the separation of the audit and accounting firm consulting functions is one of the key elements of Sarbanes-Oxley, the audit committee should be especially aware of all consulting engagements and make sure that there are no conflicts of interest. The committee should also act to ensure the total independence of external auditors, reviewing all consulting and external audit fees.
The chairman of the audit committee should keep an open door policy to a number of people within the organisation, including the head of internal audit, the head of security and the CFO, as well as having good communications with the external auditor's engagement partner. In addition, the Sarbanes-Oxley legislation provides protection for whistleblowers, with any whistleblowers having access to report suspected incidents and hold confidential discussions with members of the audit committee. It is therefore important that the audit committee maintains a receptive attitude, as it may provide early warning signs of trouble and offer a quick response and resolution to potential problems.
Disclosure of non-audit services
The UK Bill would give the Secretary of State power to pass regulations requiring companies to publish information about the nature of any services provided to them (or their associates) by their auditors, and the remuneration, expenses and benefits-in-kind received or receivable for such services.
Such disclosure is likely to be made either in notes to a company's annual accounts, in the directors' report, or in the auditors' report. At present companies that do not qualify as small or medium sized must include details of the aggregate remuneration paid to their auditors in respect of both audit and non-audit services. However, under the new regulations it is anticipated that all or most companies will have to provide a breakdown of all services provided and the cost of each component.
The proposal in the Bill does not go as far as Sarbanes-Oxley, which prohibits auditors from providing any such services to their clients, although tax advice and certain other services can be provided with the prior approval of the company's audit committee and if the approval is disclosed in the company's periodic reports.
The bottom line of the Sarbanes-Oxley Act and of future UK legislation is that top management will now be under more watchful eyes, and will be held directly responsible for their company's financial statements and internal controls systems.
David Saunders is associate managing director, forensic accounting and litigation consulting, Kroll, Tel: 020 7029 5000, E-mail: dsaunders@krollworldwide.com.